Enforcement#

FirstOps enforces policies through two complementary channels — the MCP Gateway for tool calls and Client Hooks for shell commands, file operations, and other agent actions. Both channels share the same policy engine and audit trail.

Two Enforcement Channels#

[Diagram: two enforcement channels feeding one policy engine and one audit trail. Channel 1, MCP Gateway: MCP tool call → MCP Proxy → Policy Engine → Audit Trail. Channel 2, Client Hooks: shell / file / code action → Daemon → Policy Engine → Audit Trail.]

MCP Gateway (server-side)#

Every MCP tool call routed through FirstOps is evaluated by the policy engine. This channel handles:

  • Tool call parameters and content
  • Credential brokering (injecting upstream API keys and OAuth tokens)
  • Tool visibility (controlling which tools an agent can see)
  • Bidirectional enforcement — policies are evaluated on both the outbound request and the inbound response

This works for all agent types — coding agents, autonomous agents, and framework-based agents.

Client Hooks (client-side)#

Coding agents (Claude Code, Cursor) do more than call MCP tools. They execute shell commands, read and write files, install packages, and make direct network calls. The MCP gateway never sees these actions.

FirstOps intercepts them through the agent's native hook system. Before the agent executes a shell command or writes to a file, a hook fires and the action is evaluated against the principal's policies.

What client hooks intercept:

Action | Example
--- | ---
Shell command execution | rm -rf /, curl to external endpoints, pip install
File writes and edits | Writing to .env, SSH keys, CI configs
File reads | Reading credentials, secrets, sensitive configs
Code changes | Modifications to security-critical files

Hook decisions:

  • Allow — the action proceeds
  • Deny — the action is blocked, the agent receives a reason
  • Ask — the user is prompted to approve or reject

This channel works for coding agents that support hook systems (Claude Code, Cursor).
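As an added illustration (not FirstOps' daemon or hook code), here is a minimal client-side hook evaluator in Python that applies the Allow / Deny / Ask decisions above to a coding agent's shell, file-write and file-read actions. It assumes the agent delivers a JSON payload with tool_name and tool_input on stdin and accepts a JSON permissionDecision on stdout, as Claude Code's PreToolUse hook does; the tool names (Bash, Write, Edit, Read) and the output field names are assumptions to check against the agent's hook documentation, and the rule patterns are constructed for the example.

```python
import json
import re
import sys

# Constructed rule set for the example. Precedence is fixed: deny beats ask,
# ask beats allow, regardless of the order rules are listed in.
SENSITIVE_PATHS = [
    r"(^|/)\.env(\.[\w-]+)?$",        # .env, .env.production, ...
    r"(^|/)\.ssh/",                   # SSH keys and config
    r"(^|/)\.github/workflows/",      # CI configuration
    r"(^|/)\.aws/credentials$",
]
DENY_COMMANDS = [r"\brm\s+-[rf]{2}\s+/+(\s|$)"]          # rm -rf /
ASK_COMMANDS = [
    r"\b(pip3?|npm|yarn|pnpm)\s+(install|i|add)\b",       # package installation
    r"\b(curl|wget)\b",                                   # direct network calls
]


def _any(patterns, text):
    return any(re.search(p, text) for p in patterns)


def normalize(tool_name, tool_input):
    """Map agent-specific tool names (assumed: Claude Code's) onto the
    action classes the page lists: shell, file write, file read."""
    if tool_name == "Bash":
        return "shell", tool_input.get("command", "")
    if tool_name in ("Write", "Edit", "MultiEdit"):
        return "file_write", tool_input.get("file_path", "")
    if tool_name == "Read":
        return "file_read", tool_input.get("file_path", "")
    return "other", ""


def classify(tool_name, tool_input):
    """Return (decision, reason) where decision is allow, deny or ask."""
    kind, target = normalize(tool_name, tool_input)
    if kind == "shell":
        if _any(DENY_COMMANDS, target):
            return "deny", "destructive command blocked by policy"
        if _any(ASK_COMMANDS, target):
            return "ask", "package install or network call needs approval"
    elif kind == "file_write" and _any(SENSITIVE_PATHS, target):
        return "deny", f"writes to {target} are blocked by policy"
    elif kind == "file_read" and _any(SENSITIVE_PATHS, target):
        return "ask", f"reading {target} needs approval"
    return "allow", "no rule matched"


def hook_response(decision, reason):
    """Shape of the JSON a PreToolUse hook prints on stdout (assumed format)."""
    return {"hookSpecificOutput": {
        "hookEventName": "PreToolUse",
        "permissionDecision": decision,
        "permissionDecisionReason": reason,
    }}


def main():
    payload = json.load(sys.stdin)
    decision, reason = classify(payload.get("tool_name", ""),
                                payload.get("tool_input", {}))
    print(json.dumps(hook_response(decision, reason)))
    # One audit line per evaluated action on stderr, since the page says both
    # channels share the same audit trail.
    print(json.dumps({"channel": "client_hook",
                      "tool": payload.get("tool_name"),
                      "decision": decision, "reason": reason}), file=sys.stderr)


if __name__ == "__main__":
    main()
```

Registered as the agent's PreToolUse hook, the script turns "deny" into a structured reason the agent sees (matching the Deny bullet above) and "ask" into a user prompt; everything else passes through untouched.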

Why both channels are needed#

Capability | MCP Gateway | Client Hooks
--- | --- | ---
MCP tool calls | Yes | –
Credential brokering | Yes | –
Tool visibility control | Yes | –
Shell command interception | – | Yes
File read/write interception | – | Yes
Package installation scanning | – | Yes
Works for | All agent types | Coding agents

An agent governed only by the MCP gateway could still curl an API directly, write secrets to disk, or execute arbitrary commands — all invisible to the gateway. Client hooks close that gap.

Policy Decisions#

[Flow diagram: an action arrives and the policy rules are evaluated. Deny match → action BLOCKED. Modify match → content modified. Flag match → flag recorded in audit. No deny/modify match → action ALLOWED.]

Deny#

If any deny rule matches, the action is blocked immediately. The agent receives a structured error with the reason.

Modify#

Modify rules alter content before it is forwarded. They are used for scrubbing sensitive data (PII removal, credential redaction). Modify rules apply to MCP gateway traffic.

Flag#

Flag rules mark actions for review without blocking them. Flags appear in the audit trail for security team review.

Allow#

If no deny rule matched, the action proceeds (potentially modified, potentially flagged).

Bidirectional Enforcement (MCP Gateway)#

For MCP tool calls, the engine evaluates both directions:

  • Outbound (agent to upstream tool) — applied before forwarding the request
  • Inbound (upstream tool to agent) — applied to the response before returning it to the agent

This means sensitive data can be caught whether it's leaving through a request or arriving in a response.

Authentication is Always Enforced#

DPoP identity verification is enforced on every request. If authentication fails, the request is denied — no exceptions. A valid, verified identity is required before any policy evaluation begins.

Policy Structure#

Policies contain rules combined with AND/OR logic. Each rule evaluates a condition against request content — tool name, method, parameter values, or content patterns.
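The decision order described above (deny wins, then modify and flag, otherwise allow), the AND/OR composition of rule conditions, and the bidirectional evaluation of MCP traffic, worked through in a small Python policy engine. This is an added example written for this page, not FirstOps' engine: the action shape ({"tool", "method", "params"}), the Rule and Decision fields, the condition helpers and the sample rules are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# A condition is a predicate over an action dict of the (assumed) shape
# {"tool": str, "method": str, "params": {name: value}}. Inbound responses
# reuse the shape with the response body under params["result"].
Condition = Callable[[dict], bool]


def tool_is(name: str) -> Condition:
    return lambda a: a.get("tool") == name


def method_is(name: str) -> Condition:
    return lambda a: a.get("method") == name


def content_matches(pattern: str) -> Condition:
    rx = re.compile(pattern)
    return lambda a: any(rx.search(str(v)) for v in a.get("params", {}).values())


def all_of(*conds: Condition) -> Condition:   # AND
    return lambda a: all(c(a) for c in conds)


def any_of(*conds: Condition) -> Condition:   # OR
    return lambda a: any(c(a) for c in conds)


@dataclass
class Rule:
    name: str
    action: str                      # "deny" | "modify" | "flag"
    when: Condition
    direction: str = "both"          # "outbound" | "inbound" | "both"
    transform: Optional[Callable[[str], str]] = None  # modify rules only


@dataclass
class Decision:
    allowed: bool
    reason: Optional[str] = None
    flags: list = field(default_factory=list)
    action: dict = field(default_factory=dict)


def evaluate(rules: list, action: dict, direction: str) -> Decision:
    """Deny first; then apply every matching modify and flag; else allow."""
    applicable = [r for r in rules if r.direction in (direction, "both")]
    matched = [r for r in applicable if r.when(action)]   # conditions see the original content
    for r in matched:
        if r.action == "deny":
            return Decision(False, f"denied by rule '{r.name}'", action=action)
    out = {**action, "params": dict(action.get("params", {}))}
    flags = []
    for r in matched:
        if r.action == "modify" and r.transform:
            out["params"] = {k: r.transform(v) if isinstance(v, str) else v
                             for k, v in out["params"].items()}
        elif r.action == "flag":
            flags.append(r.name)
    return Decision(True, None, flags, out)


def enforce_call(rules: list, request: dict, upstream: Callable[[dict], str]) -> Decision:
    """Bidirectional enforcement: evaluate the request, forward the (possibly
    modified) request, then evaluate the response before it reaches the agent."""
    outbound = evaluate(rules, request, "outbound")
    if not outbound.allowed:
        return outbound
    result = upstream(outbound.action)
    response = {"tool": request["tool"], "method": "result", "params": {"result": result}}
    inbound = evaluate(rules, response, "inbound")
    inbound.flags = outbound.flags + inbound.flags   # both directions land in one audit record
    return inbound


# Constructed sample rules, loosely mirroring the templates the page names.
EMAIL = r"[\w.+-]+@[\w-]+\.[\w.]+"


def redact_emails(text: str) -> str:
    return re.sub(EMAIL, "[email redacted]", text)


RULES = [
    Rule("prompt-injection", "deny",
         content_matches(r"(?i)ignore (all )?previous instructions")),      # both directions
    Rule("pii-email", "modify", content_matches(EMAIL),
         direction="outbound", transform=redact_emails),
    Rule("shell-network", "flag",                                            # AND / OR composition
         all_of(tool_is("shell"),
                any_of(content_matches(r"\bcurl\b"), content_matches(r"\bwget\b"))),
         direction="outbound"),
    Rule("secret-in-response", "flag",
         content_matches(r"(?i)api[_-]?key\s*[:=]"), direction="inbound"),
]


def fake_upstream(action: dict) -> str:
    # Constructed stand-in for an upstream MCP tool: echoes what it received.
    return "ok: " + " ".join(str(v) for v in action["params"].values())
```

Because conditions are evaluated against the original content and transforms are applied afterwards, a single request can be both modified and flagged, which is the "potentially modified, potentially flagged" outcome the Allow section describes; a deny anywhere short-circuits before any transform runs.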

Policy Attachment#

Policies are attached to Access Groups, not to individual principals. This means:

  • All principals in a group share the same policy set
  • Moving a principal between groups changes their policies instantly
  • The Default Access Group provides baseline policies for unmapped principals

Policy Templates#

FirstOps provides pre-configured policy templates that are applied to every new tenant:

Template | Action | Description
--- | --- | ---
Prompt Injection Protection | Deny | Blocks common injection patterns
PII Protection | Modify | Removes PII from outbound requests

These templates are copied into each tenant's policy set at creation. Admins can modify them or create custom policies through the dashboard. Each tenant's policies are fully independent — changes in one tenant never affect another.